Is it safe to change key_type on a running machine with already issued certificates?

This is more of an information query than asking for help but oh well 🙂

1. The problem I’m having:

For a request from a customer we need to generate JSON web tokens tied to a certificate, and they require it with specific details (RSA up to 2048 bit), not self-signed. The machine currently has Caddy and a handful of DNS records already working well, with the default key type (ed25519, it seems). So I want to use the certificates Caddy generates (on /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domainname) since they’re fully valid and working, and even tied to the right domain name.

2. Error messages and/or full log output:

If I now manually set the key_type to “rsa2048”, will I cause harm? Or regenerate every certificate? Or just start affecting the next issued/renewed certificates? Or will it break something?

3. Caddy version:

v2.7.4 on Debian 11

4. How I installed and ran Caddy:

From the repository for Debian machines

This.

You could delete your existing certs from storage then restart Caddy to force re-issuance with the new key type.

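The reply above recommends deleting the stored certificates and restarting so Caddy re-issues them with the new key type. Caddy reads `key_type` (for example the global Caddyfile option `key_type rsa2048`) when it generates the private key for a new certificate order, so certificates already in storage keep their current key until they are renewed or removed. A practitioner would want a quick way to confirm what the stored certificates actually use, both before the change and after the forced re-issuance. The Go program below is an added example, not code from the thread or from the Caddy project: `CaddyKeyType` parses a PEM certificate and reports the key in Caddy's own `key_type` vocabulary (ed25519, p256, p384, rsa2048, rsa4096), and `main` walks the storage directory from the post (the `<domain>/<domain>.crt` layout is assumed). `ConstructedCertPEM` is a hypothetical helper that builds throwaway self-signed certificates so the example runs offline; real Let's Encrypt certificates are not self-signed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CaddyKeyType maps the public key inside a PEM-encoded certificate to the
// name Caddy uses for its key_type option.
func CaddyKeyType(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	switch pub := cert.PublicKey.(type) {
	case ed25519.PublicKey:
		return "ed25519", nil
	case *ecdsa.PublicKey:
		switch pub.Curve {
		case elliptic.P256():
			return "p256", nil
		case elliptic.P384():
			return "p384", nil
		}
		return "", fmt.Errorf("unsupported curve %s", pub.Curve.Params().Name)
	case *rsa.PublicKey:
		// RSA keys are named by modulus size: rsa2048, rsa4096.
		return fmt.Sprintf("rsa%d", pub.N.BitLen()), nil
	}
	return "", fmt.Errorf("unsupported public key type %T", cert.PublicKey)
}

// ConstructedCertPEM is a hypothetical helper: it generates a throwaway
// self-signed certificate with the requested key type so the example can run
// without touching real certificates. Caddy's ACME certificates are CA-signed.
func ConstructedCertPEM(kind string) ([]byte, error) {
	var signer crypto.Signer
	var err error
	switch kind {
	case "ed25519":
		_, signer, err = ed25519.GenerateKey(rand.Reader)
	case "p256":
		signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "rsa2048":
		signer, err = rsa.GenerateKey(rand.Reader, 2048)
	default:
		return nil, fmt.Errorf("unknown key type %q", kind)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// main reports the key type of every stored certificate. The default path is
// the one from the post; pass another directory as the first argument.
func main() {
	dir := "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	files, _ := filepath.Glob(filepath.Join(dir, "*", "*.crt")) // assumed <domain>/<domain>.crt layout
	for _, f := range files {
		data, err := os.ReadFile(f)
		if err != nil {
			fmt.Printf("%s: %v\n", f, err)
			continue
		}
		kt, err := CaddyKeyType(data)
		if err != nil {
			fmt.Printf("%s: %v\n", f, err)
			continue
		}
		fmt.Printf("%s: %s\n", f, kt)
	}
}
```

Run it once before editing the config to record the current key type (the post expects ed25519), then again after the forced re-issuance; any entry that still reports ed25519 is a certificate that was not deleted and will keep its old key until its normal renewal.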